Stolen laptops have led to major HIPAA enforcement actions, announced yesterday, for two more covered entities. Concentra Health Services (Concentra) and QCA Health Plan, Inc. of Arkansas have paid the HHS Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the HIPAA Privacy and Security Rules. These significant settlements underscore the importance of an ongoing and sufficient security management plan that actively seeks to protect and safeguard ePHI. OCR opened a compliance review with Concentra upon receiving breach reports that an unencrypted laptop was stolen from one of their facilities – a physical therapy center in Missouri. 
- Many hospitals, medical practices and other providers participating in the Meaningful Use program are dutifully completing their risk analysis, yet as soon as these reports are created they sit on the shelf and become dust collectors, with the remediation recommendations ignored. While the requirement for risk analysis is not new (it has been the law since 2005), many hospitals and medical practices began conducting risk assessments only when the Meaningful Use program began paying them to comply. Many organizations now have 3 risk analyses (in 2011, 2012 and 2013) that provide damning evidence that risks and remediation recommendations are being ignored. HIPAA requires that these recommendations be implemented!
- Remediation recommendations cost money to implement, and this reality cannot be avoided. Because financial constraints are always a factor, a good risk assessment will prioritize recommendations to deliver the best bang for the buck. Mobile device encryption usually represents one of the best security values: loss of mobile devices containing ePHI is a high-probability event, and device encryption is relatively inexpensive. Insist that your risk analysis prioritize its remediation recommendations. It is not mandatory to implement every recommendation, but a good track record of implementing the most important ones is essential.
- The enforcement action against QCA Health Plan, like the recent settlement action against Adult & Pediatric Dermatology, P.C. [read our earlier post here], shows that the time to encrypt is before the breach, not after. In both of these cases, the covered entity scrambled to encrypt after the breach, yet OCR did not look kindly on this after-the-fact attempt at compliance.
- Many organizations have not benefited from the Meaningful Use incentive program (that is, they have not been lucky enough to receive payments for HIPAA compliance): health plans, long-term care providers, physical therapy providers, home health agencies, business associates, and others. If you are one of them, make sure that you begin your HIPAA Security compliance program with a good risk analysis.
